Assessing Web App Security with Mozilla

Web application assessment is a challenging task for security analysts. Several products and tools are available, each claiming to perform automated analysis on entire applications. Their capabilities include obtaining data, corroborating it, and printing aesthetically appealing reports--all without user intervention.

The nature of web applications is very different from that of standard applications. Many times, these tools miss key vulnerabilities in the application. The best way to perform web application assessment is by using the unassailable combination of automated tools and human intellect. This article examines the LiveHTTPHeaders project, which fits seamlessly into Mozilla browser components to facilitate very effective web application assessment.

Application Assessment Challenges

To perform web application assessment, you need strong HTTP (Hypertext Transfer Protocol) skills--a comprehensive knowledge of how clients and servers communicate over the Web. A web application talks to the client (the web browser) with the HTTP protocol only, with or without SSL support enabled. The HTTP protocol has two parts, the header and the body (or content). Essentially, the header contains key information about the message, which helps servers and clients understand each other. The body of the HTTP contains an HTML block that the browser renders. Assessing a web application involves two tasks:

Performing in-depth HTTP analysis that entails understanding the entire communication sequence between the application and client. Deriving various clues and information about the application from HTTP headers is the next important step.

Manipulating HTTP requests in order to explore both known and as-yet-unearthed web application vulnerabilities necessitates changing HTTP header values and scrutinizing application behavior.

The W3C web site hosts RFC 2616, a complete description of the headers in HTTP/1.1.

Solution to Combat Challenges

The HTTP protocol runs with or without SSL. A level of difficulty in reverse-engineering protocols crops in when HTTP traffic travels over secure channels. There are a couple of ways to solve this:

Sniffing the wire--It is possible to sniff traffic that travels over HTTP ports (80, 443) and collect logs of requests and responses. Your sniffing tool needs SSL sniffing capabilities to monitor SSL requests. It is possible to reproduce similar requests and send these requests back on the wire after manipulation, though not without some difficulty.

HTTP proxy as man-in-the-middle--Existing HTTP/TCP listeners and port-forwarding utilities can act as man-in-the-middle agents, and all HTTP traffic must pass through these agents. In such a situation, HTTP traffic is visible, and the utility can manipulate it as well. One such proxy tool, called Paros, is great for analyzing HTTP and HTTPS communication between server and client.

Those are both complex. Is there a better way to achieve the same objective? Very definitely yes. The answer lies in browser plugins, extensions that add features to a web browser. Mozilla has an extension called LiveHTTPHeaders that can help with web application assessment.